Corporate computing assets, such as laptops, phones, PDAs, etc., are utilized outside corporate firewalls today more than ever before. With ever more employees either working from home or “on the road,” controlling and managing corporate information technology (IT) assets is becoming an increasingly difficult and serious problem. It is especially complicated when assets are lost or stolen, which can compromise corporate data stored on the device.
While full disk encryption (FDE) is but one technique to combat the loss of data on a lost or stolen device, some users and corporations would rather have the data destroyed immediately upon detection instead of relying solely on encryption techniques. In other emerging technologies, data destruction has been developed but the means for accomplishing this are associated with remote hardware diagnosis and troubleshooting unrelated to security actions.
In other technologies, select options are offered that are tied to one type of implementation, such as Trusted Platform Modules (TPMs) storing keys, Smart Card/USB device certificate and authentication validation, and standard “two factor” authentication. However, these are each limited to a single implementation and are not centrally controlled and/or rigidly enforced by policy. Two factor authentication, which is useful for remotely debugging troublesome endpoints, relies upon either network communication (layer 2 (MAC) or layer 3 (IP)) to the endpoint, 802.1X authentication and information exchange, or some type of “pre-boot” Operating System (PBOS). These means, however, have not been associated with options for ultimately deleting the data in its entirety or rendering it inaccessible. With the advent of virtual computing devices, such problems are only exacerbated, since a single hardware platform will often host many virtual computing devices, each with its own operating system (potentially vastly different from one another), drivers, interfaces, applications, etc., and its own corporate data.
Accordingly, a need exists in the art of protecting encrypted data of endpoint computing assets for ensured destruction or inaccessibility. Also, such need extends to better managing the keys used to decrypt the data. Even more, the need should extend to virtual environments, each with many domains per a single hardware platform, to mobile environments as assets move about during use, and to leveraging existing technologies. Naturally, any improvements should further contemplate good engineering practices, such as ease of implementation, unobtrusiveness, stability, etc.